Smitfraud-C



roguewarrior
2007-09-15, 18:49
HJT report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:46:08 AM, on 9/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\Program Files\Common Files\mexe22011.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\COMMON~1\YSTEM3~1\smss.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\?dobe\r?ndll.exe
C:\Documents and Settings\Joe Owens\Application Data\WinTouch\WinTouch.exe
C:\Program Files\Insider\Insider.exe
C:\Program Files\Words\Words.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - blank (file missing)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: 0 - {66ED011A-0973-4CE1-B6A2-700028626BC1} - blank (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [mexe] C:\Program Files\Common Files\mexe22011.exe
O4 - HKLM\..\Run: [{4C-CE-E3-39-ZN}] C:\Documents and Settings\Joe Owens\Local Settings\Temp\thinksnet.exe CHD003
O4 - HKLM\..\RunOnce: [SpybotDeletingA5237] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5901] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4294] command /c del "C:\WINDOWS\system32\drivers\core.sys"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6440] cmd /c del "C:\WINDOWS\system32\drivers\core.sys"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Sblo] "C:\PROGRA~1\COMMON~1\YSTEM3~1\smss.exe" -vt yazb
O4 - HKCU\..\Run: [Pjcopnst] "C:\Program Files\?dobe\r?ndll.exe"
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\Joe Owens\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Insider] C:\Program Files\Insider\Insider.exe
O4 - HKCU\..\Run: [Words] C:\Program Files\Words\Words.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKCU\..\RunOnce: [gi1415365535] "C:\DOCUME~1\JOEOWE~1\LOCALS~1\Temp\giK7D0S3.exe" /resume:"C:\DOCUME~1\JOEOWE~1\LOCALS~1\Temp\22K7CS8B" /exename:"C:\Documents and Settings\Joe Owens\Local Settings\Temporary Internet Files\Content.IE5\4DQF8PA7\FriendFinderMessengerInstaller_adult_2_5_1[1].exe"
O4 - HKUS\S-1-5-18\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Joe Owens\Local Settings\Temp\thinksnet.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.cox.net
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\MSN\rtelekiko.html

--
End of file - 11370 bytes

Shaba
2007-09-16, 11:14
Hi roguewarrior

1. Download combofix from one of these links:
Link1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link2 (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

Post:

- a fresh HijackThis log
- combofix report

roguewarrior
2007-09-17, 03:05
ComboFix 07-09-14.2 - "Joe Owens" 2007-09-16 19:52:02.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.544 [GMT -5:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\JOEOWE~1\APPLIC~1\PPATCH~1
C:\DOCUME~1\JOEOWE~1\APPLIC~1\WinTouch\wintouch.cfg
C:\DOCUME~1\JOEOWE~1\APPLIC~1\WinTouch\WinTouch.exe
C:\DOCUME~1\JOEOWE~1\APPLIC~1\WinTouch\WTUninstaller.exe
C:\DOCUME~1\JOEOWE~1\MYDOCU~1\SSTEM~1
C:\DOCUME~1\JOEOWE~1\MYDOCU~1\STEM~1
C:\DOCUME~1\JOEOWE~1\STARTM~1\Programs\Outerinfo
C:\DOCUME~1\JOEOWE~1\STARTM~1\Programs\Outerinfo\Terms.lnk
C:\DOCUME~1\JOEOWE~1\STARTM~1\Programs\Outerinfo\Uninstall.lnk
C:\DOCUME~1\JOEOWE~1\STARTM~1\Programs\Startup.\TA_Start.lnk
C:\DOCUME~1\JOEOWE~1\STARTM~1\Programs\Startup\ta_start.lnk
C:\Program Files\Common Files\ecurit~1
C:\Program Files\Common Files\fnts~1
C:\Program Files\Common Files\sembly~1
C:\Program Files\Common Files\ystem3~1
C:\Program Files\Common Files\ystem3~1\?ystem32\
C:\Program Files\Common Files\ystem3~1\smss.exe
C:\Program Files\dobe~1
C:\Program Files\dobe~1\r?ndll.exe
C:\Program Files\mantec~1
C:\Program Files\MSN\rtelekiko.html
C:\Program Files\outerinfo
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\stem~1
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\temp\tn3
C:\WINDOWS\b103.exe
C:\WINDOWS\b104.exe
C:\WINDOWS\b136.exe
C:\WINDOWS\b138.exe
C:\WINDOWS\b143.exe
C:\WINDOWS\b147.exe
C:\WINDOWS\icroso~1
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\f02WtR\f02WtR1065.exe
C:\WINDOWS\system32\fnts~1
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\wcpsvtr32.exe
C:\WINDOWS\system32\ximbm.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_NETWORK_MONITOR
-------\core


((((((((((((((((((((((((( Files Created from 2007-08-17 to 2007-09-17 )))))))))))))))))))))))))))))))
.

2007-09-16 19:51 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-15 11:45 812,344 --a------ C:\HJTInstall.exe
2007-09-15 11:45 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-15 11:44 <DIR> d-------- C:\TAV15.1
2007-09-15 11:43 43,132,528 --a------ C:\TAV15.1_GM_Trial_32bit.exe
2007-09-14 16:43 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-09-14 16:43 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-09-14 16:43 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-09-14 16:43 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-09-14 16:43 2,912 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-14 16:43 <DIR> d-------- C:\SmitfraudFix
2007-09-14 16:42 1,004,787 --a------ C:\SmitfraudFix.exe
2007-09-13 16:35 7,467,056 --a------ C:\spybotsd15.exe
2007-09-13 15:45 <DIR> d-------- C:\WINDOWS\system32\drvr2
2007-09-13 15:45 <DIR> d-------- C:\WINDOWS\system32\cfig322
2007-09-13 15:45 <DIR> d-------- C:\WINDOWS\system32\capcam
2007-09-13 15:45 <DIR> d-------- C:\Program Files\Insider
2007-09-11 22:31 <DIR> d-------- C:\Program Files\Words
2007-09-11 21:26 <DIR> d-------- C:\WINDOWS\qzqw
2007-09-11 21:26 <DIR> d-------- C:\Program Files\Common Files\qzqw
2007-09-08 22:20 <DIR> d-------- C:\Temp
2007-09-07 20:47 <DIR> d-------- C:\Program Files\Common Files\Nullsoft
2007-09-07 20:47 <DIR> d-------- C:\DOCUME~1\JOEOWE~1\APPLIC~1\acccore
2007-09-07 20:46 <DIR> d-------- C:\Program Files\Common Files\AOL
2007-09-07 20:46 <DIR> d-------- C:\Program Files\AIM6
2007-08-20 18:59 <DIR> d-------- C:\DOCUME~1\JOEOWE~1\APPLIC~1\PC Tools
2007-08-20 18:58 22,528 --a------ C:\WINDOWS\system32\drivers\AVHook.sys
2007-08-20 18:58 15,872 --a------ C:\WINDOWS\system32\drivers\AVRec.sys
2007-08-20 18:58 15,872 --a------ C:\WINDOWS\system32\drivers\AVFilter.sys
2007-08-20 18:58 <DIR> d-------- C:\Program Files\PC Tools AntiVirus
2007-08-20 18:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PC Tools
2007-08-19 20:01 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-08-19 20:00 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-14 21:25 --------- d-------- C:\DOCUME~1\JOEOWE~1\APPLIC~1\Lavasoft
2007-09-13 17:11 --------- d-------- C:\Program Files\LimeWire
2007-09-13 17:06 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-13 15:45 --------- d-------- C:\Program Files\World of Warcraft
2007-09-13 15:45 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2007-09-13 15:38 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-09-11 20:29 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ATI MMC
2007-08-07 15:30 163840 --a------ C:\Program Files\Common Files\mexe22011.exe
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-27 21:56 --------- d-------- C:\Program Files\Warcraft III
2007-06-26 01:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 08:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2003-07-31 16:53 147456 --a--c--- C:\WINDOWS\inf\EL2K_XP.sys
2003-07-31 16:50 448768 --a--c--- C:\WINDOWS\inf\EL2K_N64.sys
2003-07-31 16:43 147456 --a--c--- C:\WINDOWS\inf\EL2K_2K.sys
2005-07-29 21:24:26 472 --sha-r C:\WINDOWS\Sk1P\m4Yj.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01F44A8A-8C97-4325-A378-76E68DC4AB2E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{66ED011A-0973-4CE1-B6A2-700028626BC1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ABE94192-9410-4CAD-70AB-C2DD26904157}]
C:\Program Files\MSN\qucavoqa.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-22 22:05]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 10:50 C:\WINDOWS\LOGI_MWX.EXE]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2004-03-18 10:33]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 11:43]
"CTHelper"="CTHELPER.EXE" [2003-10-06 15:57 C:\WINDOWS\system32\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-10-13 17:04]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50]
"VOBRegCheck"="C:\WINDOWS\System32\VOBREGCheck.exe" [2003-01-08 16:55]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2003-11-10 17:06]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-01-29 20:10]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-12-15 13:18]
"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\\Program Files\ATI Multimedia\main\ATIDtct.EXE" []
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2001-10-18 14:37]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2001-11-07 05:50]
"RegistryMechanic"="" []
"PCTAVApp"="C:\Program Files\PC Tools AntiVirus\PCTAV.exe" [2007-05-17 11:41]
"mexe"="C:\Program Files\Common Files\mexe22011.exe" [2007-08-07 15:30]
"{4C-CE-E3-39-ZN}"="C:\Documents and Settings\Joe Owens\Local Settings\Temp\thinksnet.exe" [2007-09-08 22:21]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\valve\steam\steam.exe" [2007-06-30 20:36]
"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\launchpd.exe" [2004-05-04 12:07]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 22:49]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-19 22:02]
"Sblo"="C:\PROGRA~1\COMMON~1\YSTEM3~1\smss.exe" []
"Pjcopnst"="C:\Program Files\?dobe\r?ndll.exe" []
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2006-11-07 10:29]
"Insider"="C:\Program Files\Insider\Insider.exe" [2007-09-11 21:21]
"Words"="C:\Program Files\Words\Words.exe" [2007-09-11 22:31]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"PCTAVApp"="C:\Program Files\PC Tools AntiVirus\PCTAV.exe" [2007-05-17 11:41]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"gi1415365535"="C:\DOCUME~1\JOEOWE~1\LOCALS~1\Temp\giK7D0S3.exe" /resume:"C:\DOCUME~1\JOEOWE~1\LOCALS~1\Temp\22K7CS8B" /exename:"C:\Documents and Settings\Joe Owens\Local Settings\Temporary Internet Files\Content.IE5\4DQF8PA7\FriendFinderMessengerInstaller_adult_2_5_1[1].exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Norton SystemWorks"="C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz

C:\DOCUME~1\JOEOWE~1\STARTM~1\Programs\Startup\
PowerReg Scheduler V3.exe [2006-09-21 13:50:25]
TA_Start.lnk - C:\Documents and Settings\Joe Owens\Local Settings\Temp\thinksnet.exe [2007-09-08 22:21:05]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CorrectConnect.lnk]
backup=C:\WINDOWS\pss\CorrectConnect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^D-Link AirPlus Xtreme G Configuration Utility.lnk]
backup=C:\WINDOWS\pss\D-Link AirPlus Xtreme G Configuration Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
backup=C:\WINDOWS\pss\Service Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Joe Owens^Start Menu^Programs^Startup^FriendFinder Messenger.lnk]
backup=C:\WINDOWS\pss\FriendFinder Messenger.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 9.0]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBDrvDet]
C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

R0 viasraid;viasraid;C:\WINDOWS\system32\drivers\viasraid.sys
R2 BCMNTIO;BCMNTIO;\??\C:\PROGRA~1\CheckIt\DIAGNO~1\BCMNTIO.sys
R2 MAPMEM;MAPMEM;\??\C:\PROGRA~1\CheckIt\DIAGNO~1\MAPMEM.sys
R3 GETNDIS;VIA Networking Velocity Family Giga-bit Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\getnd5b.sys
R3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\drivers\lccfltr.sys
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys
S3 itchfltr;iTouch Keyboard Filter;C:\WINDOWS\system32\DRIVERS\itchfltr.sys
S3 NTSIM;NTSIM;\??\C:\WINDOWS\system32\ntsim.sys
S3 RDID1044;Roland SP-606;C:\WINDOWS\system32\Drivers\rdwm1044.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-17 00:57:17 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-16 19:56:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\{00000000-00000000-0000000B-00001102-00000004-20021102}.CDF

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2007-09-16 19:57:53 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-16 19:57
.
--- E O F ---

roguewarrior
2007-09-17, 03:07
New HJT report

roguewarrior
2007-09-17, 03:08
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:05:07 PM, on 9/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\Program Files\Common Files\mexe22011.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Insider\Insider.exe
C:\Program Files\Words\Words.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - blank (file missing)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: 0 - {66ED011A-0973-4CE1-B6A2-700028626BC1} - blank (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: 0 - {ABE94192-9410-4CAD-70AB-C2DD26904157} - C:\Program Files\MSN\qucavoqa.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [mexe] C:\Program Files\Common Files\mexe22011.exe
O4 - HKLM\..\Run: [{4C-CE-E3-39-ZN}] C:\Documents and Settings\Joe Owens\Local Settings\Temp\thinksnet.exe CHD003
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Sblo] "C:\PROGRA~1\COMMON~1\YSTEM3~1\smss.exe" -vt yazb
O4 - HKCU\..\Run: [Pjcopnst] "C:\Program Files\?dobe\r?ndll.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Insider] C:\Program Files\Insider\Insider.exe
O4 - HKCU\..\Run: [Words] C:\Program Files\Words\Words.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKCU\..\RunOnce: [gi1415365535] "C:\DOCUME~1\JOEOWE~1\LOCALS~1\Temp\giK7D0S3.exe" /resume:"C:\DOCUME~1\JOEOWE~1\LOCALS~1\Temp\22K7CS8B" /exename:"C:\Documents and Settings\Joe Owens\Local Settings\Temporary Internet Files\Content.IE5\4DQF8PA7\FriendFinderMessengerInstaller_adult_2_5_1[1].exe"
O4 - HKUS\S-1-5-18\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Joe Owens\Local Settings\Temp\thinksnet.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.cox.net
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)

--
End of file - 10340 bytes

Shaba
2007-09-17, 16:59
Hi

Do you recognize this?

O4 - HKCU\..\Run: [Insider] C:\Program Files\Insider\Insider.exe

We need to disable TeaTimer next. Please keep it disabled until I say you're clean:

# Run Spybot-S&D in Advanced Mode.
# If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
# On the left hand side, Click on Tools
# Then click on the Resident Icon in the List
# Uncheck "Resident TeaTimer" and OK any prompts.
# Restart your computer.

After that:

Open HijackThis, click do a system scan only and checkmark these:

O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - blank (file missing)
O2 - BHO: 0 - {66ED011A-0973-4CE1-B6A2-700028626BC1} - blank (file missing)
O2 - BHO: 0 - {ABE94192-9410-4CAD-70AB-C2DD26904157} - C:\Program Files\MSN\qucavoqa.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [mexe] C:\Program Files\Common Files\mexe22011.exe
O4 - HKLM\..\Run: [{4C-CE-E3-39-ZN}] C:\Documents and Settings\Joe Owens\Local Settings\Temp\thinksnet.exe CHD003
O4 - HKCU\..\Run: [Sblo] "C:\PROGRA~1\COMMON~1\YSTEM3~1\smss.exe" -vt yazb
O4 - HKCU\..\Run: [Pjcopnst] "C:\Program Files\?dobe\r?ndll.exe"
O4 - HKCU\..\Run: [Words] C:\Program Files\Words\Words.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Joe Owens\Local Settings\Temp\thinksnet.exe

Close all windows including browser and press fix checked.

Reboot.

Open notepad and copy/paste the text in the quotebox below into it:


File::
C:\Program Files\Common Files\mexe22011.exe

Folder::
C:\WINDOWS\system32\drvr2
C:\WINDOWS\system32\cfig322
C:\WINDOWS\system32\capcam
C:\Program Files\Words
C:\WINDOWS\qzqw
C:\Program Files\Common Files\qzqw


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

roguewarrior
2007-09-17, 17:35
ComboFix 07-09-17.2 - "Joe Owens" 2007-09-17 10:30:37.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.680 [GMT -5:00]
Command switches used :: C:\CFScript.txt
* Created a new restore point

FILE::
C:\Program Files\Common Files\mexe22011.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\mexe22011.exe
C:\Program Files\Common Files\qzqw
C:\Program Files\Common Files\qzqw\qzqwa.exe
C:\Program Files\Common Files\qzqw\qzqwd\class-barrel
C:\Program Files\Common Files\qzqw\qzqwd\qzqwc.dll
C:\Program Files\Common Files\qzqw\qzqwd\vocabulary
C:\Program Files\Common Files\qzqw\qzqwl.exe
C:\Program Files\Common Files\qzqw\qzqwp.exe
C:\Program Files\Words
C:\Program Files\Words\list.txt
C:\Program Files\Words\script.txt
C:\Program Files\Words\UnInstall.exe
C:\Program Files\Words\Words.exe
C:\WINDOWS\qzqw
C:\WINDOWS\qzqw\qzqw.dat
C:\WINDOWS\qzqw\wu
C:\WINDOWS\system32\capcam
C:\WINDOWS\system32\capcam\nab22011.exe
C:\WINDOWS\system32\cfig322
C:\WINDOWS\system32\cfig322\icm33o.exe
C:\WINDOWS\system32\drvr2
C:\WINDOWS\system32\msnav32.ax

.
((((((((((((((((((((((((( Files Created from 2007-08-17 to 2007-09-17 )))))))))))))))))))))))))))))))
.

2007-09-17 10:14 1,484,009 --a------ C:\ComboFix.exe
2007-09-16 19:51 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-15 11:45 812,344 --a------ C:\HJTInstall.exe
2007-09-15 11:45 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-15 11:44 <DIR> d-------- C:\TAV15.1
2007-09-15 11:43 43,132,528 --a------ C:\TAV15.1_GM_Trial_32bit.exe
2007-09-14 16:43 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-09-14 16:43 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-09-14 16:43 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-09-14 16:43 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-09-14 16:43 2,912 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-14 16:43 <DIR> d-------- C:\SmitfraudFix
2007-09-14 16:42 1,004,787 --a------ C:\SmitfraudFix.exe
2007-09-13 16:35 7,467,056 --a------ C:\spybotsd15.exe
2007-09-13 15:45 <DIR> d-------- C:\Program Files\Insider
2007-09-08 22:20 <DIR> d-------- C:\Temp
2007-09-07 20:47 <DIR> d-------- C:\Program Files\Common Files\Nullsoft
2007-09-07 20:47 <DIR> d-------- C:\DOCUME~1\JOEOWE~1\APPLIC~1\acccore
2007-09-07 20:46 <DIR> d-------- C:\Program Files\Common Files\AOL
2007-09-07 20:46 <DIR> d-------- C:\Program Files\AIM6
2007-08-20 18:59 <DIR> d-------- C:\DOCUME~1\JOEOWE~1\APPLIC~1\PC Tools
2007-08-20 18:58 22,528 --a------ C:\WINDOWS\system32\drivers\AVHook.sys
2007-08-20 18:58 15,872 --a------ C:\WINDOWS\system32\drivers\AVRec.sys
2007-08-20 18:58 15,872 --a------ C:\WINDOWS\system32\drivers\AVFilter.sys
2007-08-20 18:58 <DIR> d-------- C:\Program Files\PC Tools AntiVirus
2007-08-20 18:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PC Tools
2007-08-19 20:01 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-08-19 20:00 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-14 21:25 --------- d-------- C:\DOCUME~1\JOEOWE~1\APPLIC~1\Lavasoft
2007-09-13 17:11 --------- d-------- C:\Program Files\LimeWire
2007-09-13 17:06 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-13 15:45 --------- d-------- C:\Program Files\World of Warcraft
2007-09-13 15:45 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2007-09-13 15:38 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-09-11 20:29 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ATI MMC
2007-07-27 21:56 --------- d-------- C:\Program Files\Warcraft III
2003-07-31 16:53 147456 --a--c--- C:\WINDOWS\inf\EL2K_XP.sys
2003-07-31 16:50 448768 --a--c--- C:\WINDOWS\inf\EL2K_N64.sys
2003-07-31 16:43 147456 --a--c--- C:\WINDOWS\inf\EL2K_2K.sys
2005-07-29 21:24:26 472 --sha-r C:\WINDOWS\Sk1P\m4Yj.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-22 22:05]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 10:50 C:\WINDOWS\LOGI_MWX.EXE]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2004-03-18 10:33]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 11:43]
"CTHelper"="CTHELPER.EXE" [2003-10-06 15:57 C:\WINDOWS\system32\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-10-13 17:04]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50]
"VOBRegCheck"="C:\WINDOWS\System32\VOBREGCheck.exe" [2003-01-08 16:55]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2003-11-10 17:06]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-01-29 20:10]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-12-15 13:18]
"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\\Program Files\ATI Multimedia\main\ATIDtct.EXE" []
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2001-10-18 14:37]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2001-11-07 05:50]
"RegistryMechanic"="" []
"PCTAVApp"="C:\Program Files\PC Tools AntiVirus\PCTAV.exe" [2007-05-17 11:41]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\valve\steam\steam.exe" [2007-06-30 20:36]
"ATI Launchpad"="C:\Program Files\ATI Multimedia\main\launchpd.exe" [2004-05-04 12:07]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 22:49]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-19 22:02]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2006-11-07 10:29]
"Insider"="C:\Program Files\Insider\Insider.exe" [2007-09-11 21:21]
"PCTAVApp"="C:\Program Files\PC Tools AntiVirus\PCTAV.exe" [2007-05-17 11:41]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"gi1415365535"="C:\DOCUME~1\JOEOWE~1\LOCALS~1\Temp\giK7D0S3.exe" /resume:"C:\DOCUME~1\JOEOWE~1\LOCALS~1\Temp\22K7CS8B" /exename:"C:\Documents and Settings\Joe Owens\Local Settings\Temporary Internet Files\Content.IE5\4DQF8PA7\FriendFinderMessengerInstaller_adult_2_5_1[1].exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Norton SystemWorks"="C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CorrectConnect.lnk]
backup=C:\WINDOWS\pss\CorrectConnect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^D-Link AirPlus Xtreme G Configuration Utility.lnk]
backup=C:\WINDOWS\pss\D-Link AirPlus Xtreme G Configuration Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
backup=C:\WINDOWS\pss\Service Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Joe Owens^Start Menu^Programs^Startup^FriendFinder Messenger.lnk]
backup=C:\WINDOWS\pss\FriendFinder Messenger.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 9.0]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBDrvDet]
C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

R0 viasraid;viasraid;C:\WINDOWS\system32\drivers\viasraid.sys
R2 BCMNTIO;BCMNTIO;\??\C:\PROGRA~1\CheckIt\DIAGNO~1\BCMNTIO.sys
R2 MAPMEM;MAPMEM;\??\C:\PROGRA~1\CheckIt\DIAGNO~1\MAPMEM.sys
R3 GETNDIS;VIA Networking Velocity Family Giga-bit Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\getnd5b.sys
R3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\drivers\lccfltr.sys
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys
S3 itchfltr;iTouch Keyboard Filter;C:\WINDOWS\system32\DRIVERS\itchfltr.sys
S3 NTSIM;NTSIM;\??\C:\WINDOWS\system32\ntsim.sys
S3 RDID1044;Roland SP-606;C:\WINDOWS\system32\Drivers\rdwm1044.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-17 00:57:17 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-17 10:33:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-17 10:33:41 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-17 10:33
C:\ComboFix2.txt ... 2007-09-16 19:57
.
--- E O F ---

roguewarrior
2007-09-17, 17:37
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:36:34 AM, on 9/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Insider\Insider.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Insider] C:\Program Files\Insider\Insider.exe
O4 - HKCU\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKCU\..\RunOnce: [gi1415365535] "C:\DOCUME~1\JOEOWE~1\LOCALS~1\Temp\giK7D0S3.exe" /resume:"C:\DOCUME~1\JOEOWE~1\LOCALS~1\Temp\22K7CS8B" /exename:"C:\Documents and Settings\Joe Owens\Local Settings\Temporary Internet Files\Content.IE5\4DQF8PA7\FriendFinderMessengerInstaller_adult_2_5_1[1].exe"
O4 - HKUS\S-1-5-18\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz (User 'Default user')
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.cox.net
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)

--
End of file - 9293 bytes

roguewarrior
2007-09-17, 17:38
I have also noticed that since the first time I ran ComboFix I haven't had any pop-ups?

Shaba
2007-09-17, 18:33
Hi

"I have also noticed that since the first time I ran ComboFix I haven't had any pop-ups?"

That's a good sign :)

Do you recognize this program?

C:\Program Files\Insider\Insider.exe

roguewarrior
2007-09-17, 18:40
I see that program in the log but I'm not aware of what it is.

Shaba
2007-09-17, 18:45
Hi

OK, according to its creation time it's bad, so we remove it.

Open HijackThis, click do a system scan only and checkmark this:

O4 - HKCU\..\Run: C:\Program Files\Insider\Insider.exe

Close all windows including browser and press fix checked.

Reboot.

Delete this:

C:\Program Files\Insider

Empty Recycle Bin

Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky; click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:

o Scan using the following Anti-Virus database:

+ Extended (if available, otherwise Standard)

o Scan Options:

+ Scan Archives
+ Scan Mail Bases

Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.

Post:

- a fresh HijackThis log
- Kaspersky report

roguewarrior
2007-09-18, 00:02
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:45:13 PM, on 9/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKCU\..\RunOnce: [gi1415365535] "C:\DOCUME~1\JOEOWE~1\LOCALS~1\Temp\giK7D0S3.exe" /resume:"C:\DOCUME~1\JOEOWE~1\LOCALS~1\Temp\22K7CS8B" /exename:"C:\Documents and Settings\Joe Owens\Local Settings\Temporary Internet Files\Content.IE5\4DQF8PA7\FriendFinderMessengerInstaller_adult_2_5_1[1].exe"
O4 - HKUS\S-1-5-18\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz (User 'Default user')
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.cox.net
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)

--
End of file - 9075 bytes

roguewarrior
2007-09-18, 00:07
KASPERSKY ONLINE SCANNER REPORT
Monday, September 17, 2007 5:00:47 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 17/09/2007
Kaspersky Anti-Virus database records: 420063

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 65957
Number of viruses found: 34
Number of infected objects: 209
Number of suspicious objects: 2
Duration of the scan process: 00:52:15

Infected Object Name / Virus Name / Last Action
C:\124.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\124.tmp NSIS: infected - 1 skipped
C:\C7.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\C7.tmp NSIS: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip/Yazzle1552OinUninstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Joe Owens\Application Data\PC Tools\PC Tools AntiVirus\Application Logs\PCToolsAntivirus.txt Object is locked skipped
C:\Documents and Settings\Joe Owens\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Joe Owens\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Joe Owens\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Joe Owens\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Joe Owens\Local Settings\History\History.IE5\MSHist012007091720070918\index.dat Object is locked skipped
C:\Documents and Settings\Joe Owens\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Joe Owens\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Joe Owens\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\itouch_crash_info.txt Object is locked skipped
C:\Program Files\Insider\Insider.exe Infected: Trojan.Win32.Agent.bnd skipped
C:\Program Files\Insider\UnInstall.exe Infected: Trojan.Win32.Agent.bnd skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\02196F95.exe Infected: Trojan-Spy.Win32.Briss.e skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\021C1991.exe Infected: Trojan-Spy.Win32.Briss.j skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\021C1991.tmp Infected: Trojan-Spy.Win32.Briss.j skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0B2F24EC.cla Infected: Trojan-Downloader.Java.OpenStream.t skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\120658DD.tmp Infected: Trojan-Spy.Win32.Briss.j skipped
C:\Program Files\PC Tools AntiVirus\PCTAVService.txt Object is locked skipped
C:\qoobox\Quarantine\C\DOCUME~1\JOEOWE~1\APPLIC~1\WinTouch\WTUninstaller.exe.vir Infected: Trojan-Downloader.Win32.Agent.buo skipped
C:\qoobox\Quarantine\C\Program Files\Common Files\mexe22011.exe.vir Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\qoobox\Quarantine\C\Program Files\Common Files\qzqw\qzqwa.exe.vir Infected: Trojan-Downloader.Win32.TSUpdate.l skipped
C:\qoobox\Quarantine\C\Program Files\Common Files\qzqw\qzqwl.exe.vir Infected: Trojan-Downloader.Win32.TSUpdate.p skipped
C:\qoobox\Quarantine\C\Program Files\Common Files\qzqw\qzqwp.exe.vir Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\qoobox\Quarantine\C\Program Files\DOBE~1\rυndll.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.fz skipped
C:\qoobox\Quarantine\C\Program Files\Outerinfo\OiUninstaller.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\qoobox\Quarantine\C\Program Files\Outerinfo\OiUninstaller.exe.vir/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\qoobox\Quarantine\C\Program Files\Outerinfo\OiUninstaller.exe.vir NSIS: infected - 2 skipped
C:\qoobox\Quarantine\C\Program Files\Words\UnInstall.exe.vir Infected: Trojan.Win32.Agent.bnd skipped
C:\qoobox\Quarantine\C\Program Files\Words\Words.exe.vir Infected: not-a-virus:AdWare.Win32.Agent.dn skipped
C:\qoobox\Quarantine\C\WINDOWS\b103.exe.vir Infected: not-a-virus:AdWare.Win32.Rond.d skipped
C:\qoobox\Quarantine\C\WINDOWS\b104.exe.vir/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\qoobox\Quarantine\C\WINDOWS\b104.exe.vir/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\qoobox\Quarantine\C\WINDOWS\b104.exe.vir/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\qoobox\Quarantine\C\WINDOWS\b104.exe.vir NSIS: infected - 3 skipped
C:\qoobox\Quarantine\C\WINDOWS\b136.exe.vir/stream/data0002 Infected: Trojan-Dropper.Win32.Agent.bfr skipped
C:\qoobox\Quarantine\C\WINDOWS\b136.exe.vir/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\qoobox\Quarantine\C\WINDOWS\b136.exe.vir/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\qoobox\Quarantine\C\WINDOWS\b136.exe.vir NSIS: infected - 3 skipped
C:\qoobox\Quarantine\C\WINDOWS\b143.exe.vir Infected: Trojan-Downloader.Win32.Agent.dlx skipped
C:\qoobox\Quarantine\C\WINDOWS\b147.exe.vir Infected: Trojan.Win32.Agent.bnd skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\capcam\nab22011.exe.vir/data0004 Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\capcam\nab22011.exe.vir NSIS: infected - 1 skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\cfig322\icm33o.exe.vir Infected: Trojan-Downloader.Win32.Small.fky skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\f02WtR\f02WtR1065.exe.vir Infected: Trojan-Downloader.Win32.VB.bgd skipped
C:\qoobox\Quarantine\catchme2007-09-16_195650.98.zip/core.sys Infected: Rootkit.Win32.Agent.eq skipped
C:\qoobox\Quarantine\catchme2007-09-16_195650.98.zip ZIP: infected - 1 skipped
C:\RECYCLER\NPROTECT\00031476.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.au skipped
C:\RECYCLER\NPROTECT\00031659.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.au skipped
C:\RECYCLER\NPROTECT\00032134.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.au skipped
C:\RECYCLER\NPROTECT\00032372.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.au skipped
C:\RECYCLER\NPROTECT\00032818.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.au skipped
C:\RECYCLER\NPROTECT\00032980.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.au skipped
C:\RECYCLER\NPROTECT\00033049.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.au skipped
C:\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP378\A0044907.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP378\A0044960.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP381\A0045779.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP383\A0045836.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP392\A0050268.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gd skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP392\A0050269.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gc skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP395\A0055452.dll Infected: not-a-virus:AdWare.Win32.PurityScan.fs skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP399\A0058561.dll Infected: not-a-virus:AdWare.Win32.PurityScan.fs skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP400\A0059624.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Rond.b skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP400\A0059624.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP400\A0059624.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP400\A0059624.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP401\A0059670.exe Infected: not-a-virus:AdWare.Win32.Rond.c skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP401\A0059671.exe Infected: not-a-virus:AdWare.Win32.Rond.c skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP402\A0059738.exe Infected: Trojan-Downloader.Win32.Agent.djj skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP404\A0063791.exe Infected: Trojan.Win32.Agent.bnd skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP404\A0063792.exe Infected: not-a-virus:AdWare.Win32.Agent.dn skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP404\A0063793.exe Infected: Trojan-Downloader.Win32.Agent.dlx skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP404\A0063795.exe Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP404\A0063796.exe Infected: Trojan-Downloader.Win32.TSUpdate.l skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP404\A0063797.exe Infected: Trojan-Downloader.Win32.TSUpdate.p skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP404\A0063799.exe Infected: not-a-virus:AdWare.Win32.Rond.d skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP404\A0063800.exe Infected: Trojan.Win32.Agent.bnd skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP404\A0063801.exe Infected: Trojan.Win32.Agent.bnd skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP404\A0063802.exe Infected: Trojan.Win32.Agent.bnd skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP404\A0063803.exe Infected: Trojan-Downloader.Win32.Agent.djj skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP404\A0063830.exe Infected: not-a-virus:AdWare.Win32.Rond.c skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP404\A0063831.exe Infected: not-a-virus:AdWare.Win32.Rond.c skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP404\A0063834.exe Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP404\A0063836.exe Infected: Trojan-Downloader.Win32.Small.fky skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP404\A0063837.exe/data0004 Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP404\A0063837.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP404\A0063838.exe Infected: Trojan-Downloader.Win32.VB.bgd skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP404\A0064018.exe Infected: not-a-virus:AdWare.Win32.PurityScan.fz skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP405\A0064357.exe Infected: Trojan.Win32.Agent.bnd skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP405\A0064358.exe Infected: not-a-virus:AdWare.Win32.Agent.dn skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP405\A0064359.exe Infected: Trojan-Downloader.Win32.Agent.dlx skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP405\A0064361.exe Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP405\A0064362.exe Infected: Trojan-Downloader.Win32.TSUpdate.l skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP405\A0064363.exe Infected: Trojan-Downloader.Win32.TSUpdate.p skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP405\A0064365.exe Infected: not-a-virus:AdWare.Win32.Rond.d skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP405\A0064366.exe Infected: Trojan.Win32.Agent.bnd skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP405\A0064367.exe Infected: Trojan.Win32.Agent.bnd skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP405\A0064368.exe Infected: Trojan.Win32.Agent.bnd skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP405\A0064369.exe Infected: Trojan-Downloader.Win32.Agent.djj skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP405\A0064396.exe Infected: not-a-virus:AdWare.Win32.Rond.c skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP405\A0064397.exe Infected: not-a-virus:AdWare.Win32.Rond.c skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP405\A0064400.exe Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP405\A0064402.exe Infected: Trojan-Downloader.Win32.Small.fky skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP405\A0064403.exe/data0004 Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP405\A0064403.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP405\A0064404.exe Infected: Trojan-Downloader.Win32.VB.bgd skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP405\A0064584.exe Infected: not-a-virus:AdWare.Win32.PurityScan.fz skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP406\A0064923.exe Infected: Trojan.Win32.Agent.bnd skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP406\A0064924.exe Infected: not-a-virus:AdWare.Win32.Agent.dn skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP406\A0064925.exe Infected: Trojan-Downloader.Win32.Agent.dlx skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP406\A0064927.exe Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP406\A0064928.exe Infected: Trojan-Downloader.Win32.TSUpdate.l skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP406\A0064929.exe Infected: Trojan-Downloader.Win32.TSUpdate.p skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP406\A0064931.exe Infected: not-a-virus:AdWare.Win32.Rond.d skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP406\A0064932.exe Infected: Trojan.Win32.Agent.bnd skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP406\A0064933.exe Infected: Trojan.Win32.Agent.bnd skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP406\A0064934.exe Infected: Trojan.Win32.Agent.bnd skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP406\A0064935.exe Infected: Trojan-Downloader.Win32.Agent.djj skipped

roguewarrior
2007-09-18, 00:08
Part 2

C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP406\A0064962.exe Infected: not-a-virus:AdWare.Win32.Rond.c skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP406\A0064963.exe Infected: not-a-virus:AdWare.Win32.Rond.c skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP406\A0064966.exe Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP406\A0064968.exe Infected: Trojan-Downloader.Win32.Small.fky skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP406\A0064969.exe/data0004 Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP406\A0064969.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP406\A0064970.exe Infected: Trojan-Downloader.Win32.VB.bgd skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP406\A0065150.exe Infected: not-a-virus:AdWare.Win32.PurityScan.fz skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP407\A0065496.exe Infected: Trojan.Win32.Agent.bnd skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP407\A0065497.exe Infected: not-a-virus:AdWare.Win32.Agent.dn skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP407\A0065498.exe Infected: Trojan-Downloader.Win32.Agent.dlx skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP407\A0065500.exe Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP407\A0065501.exe Infected: Trojan-Downloader.Win32.TSUpdate.l skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP407\A0065502.exe Infected: Trojan-Downloader.Win32.TSUpdate.p skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP407\A0065504.exe Infected: not-a-virus:AdWare.Win32.Rond.d skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP407\A0065505.exe Infected: Trojan.Win32.Agent.bnd skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP407\A0065506.exe Infected: Trojan.Win32.Agent.bnd skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP407\A0065507.exe Infected: Trojan.Win32.Agent.bnd skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP407\A0065508.exe Infected: Trojan-Downloader.Win32.Agent.djj skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP407\A0065535.exe Infected: not-a-virus:AdWare.Win32.Rond.c skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP407\A0065536.exe Infected: not-a-virus:AdWare.Win32.Rond.c skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP407\A0065539.exe Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP407\A0065541.exe Infected: Trojan-Downloader.Win32.Small.fky skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP407\A0065542.exe/data0004 Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP407\A0065542.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP407\A0065543.exe Infected: Trojan-Downloader.Win32.VB.bgd skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP407\A0065723.exe Infected: not-a-virus:AdWare.Win32.PurityScan.fz skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP408\A0066061.exe Infected: Trojan.Win32.Agent.bnd skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP408\A0066062.exe Infected: not-a-virus:AdWare.Win32.Agent.dn skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP408\A0066063.exe Infected: Trojan-Downloader.Win32.Agent.dlx skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP408\A0066065.exe Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP408\A0066066.exe Infected: Trojan-Downloader.Win32.TSUpdate.l skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP408\A0066067.exe Infected: Trojan-Downloader.Win32.TSUpdate.p skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP408\A0066069.exe Infected: not-a-virus:AdWare.Win32.Rond.d skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP408\A0066070.exe Infected: Trojan.Win32.Agent.bnd skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP408\A0066071.exe Infected: Trojan.Win32.Agent.bnd skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP408\A0066072.exe Infected: Trojan.Win32.Agent.bnd skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP408\A0066073.exe Infected: Trojan-Downloader.Win32.Agent.djj skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP408\A0066100.exe Infected: not-a-virus:AdWare.Win32.Rond.c skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP408\A0066101.exe Infected: not-a-virus:AdWare.Win32.Rond.c skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP408\A0066104.exe Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP408\A0066106.exe Infected: Trojan-Downloader.Win32.Small.fky skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP408\A0066107.exe/data0004 Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP408\A0066107.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP408\A0066108.exe Infected: Trojan-Downloader.Win32.VB.bgd skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP408\A0066288.exe Infected: not-a-virus:AdWare.Win32.PurityScan.fz skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP408\A0066620.exe/dsr.dll Infected: not-a-virus:AdWare.Win32.ImiBar.h skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP408\A0066620.exe CAB: infected - 1 skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP408\A0066620.exe MimarSinan: infected - 1 skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP408\A0066620.exe UPX: infected - 1 skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP408\A0066622.exe/stream/data0002/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP408\A0066622.exe/stream/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP408\A0066622.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP408\A0066622.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP408\A0066622.exe NSIS: infected - 4 skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP408\A0066625.exe Infected: not-a-virus:AdWare.Win32.Rond.c skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP408\A0066626.exe Infected: not-a-virus:AdWare.Win32.Rond.c skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP408\A0066627.exe Infected: Trojan-Downloader.Win32.Agent.djj skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP408\A0066630.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP408\A0066631.exe Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP408\A0066646.exe Infected: not-a-virus:AdWare.Win32.PurityScan.fz skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP409\A0066819.exe Infected: not-a-virus:AdWare.Win32.PurityScan.fz skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP409\A0066820.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP409\A0066820.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP409\A0066820.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP410\A0068956.exe Infected: not-a-virus:AdWare.Win32.PurityScan.fz skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP410\A0068957.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP410\A0068957.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP410\A0068957.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP411\A0069011.exe Infected: not-a-virus:AdWare.Win32.Rond.d skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP411\A0069012.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP411\A0069012.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP411\A0069012.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP411\A0069012.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP411\A0069013.exe/stream/data0002 Infected: Trojan-Dropper.Win32.Agent.bfr skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP411\A0069013.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP411\A0069013.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP411\A0069013.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP411\A0069015.exe Infected: Trojan-Downloader.Win32.Agent.dlx skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP411\A0069016.exe Infected: Trojan.Win32.Agent.bnd skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP411\A0069019.exe Infected: not-a-virus:AdWare.Win32.PurityScan.fz skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP411\A0069020.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP411\A0069020.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP411\A0069020.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP411\A0069024.exe Infected: Trojan-Downloader.Win32.Agent.buo skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP411\A0069027.exe Infected: Trojan-Downloader.Win32.VB.bgd skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP412\A0070227.exe Infected: Trojan-Downloader.Win32.Small.fky skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP412\A0070228.exe/data0004 Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP412\A0070228.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP412\A0070229.exe Infected: Trojan.Win32.Agent.bnd skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP412\A0070230.exe Infected: not-a-virus:AdWare.Win32.Agent.dn skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP412\A0070231.exe Infected: Trojan-Downloader.Win32.TSUpdate.l skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP412\A0070232.exe Infected: Trojan-Downloader.Win32.TSUpdate.p skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP412\A0070233.exe Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP412\A0070236.exe Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP412\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{616E5522-C639-46D9-8E61-BA3B374B7E75}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\{00000000-00000000-0000000B-00001102-00000004-20021102}.CDF Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

Shaba
2007-09-18, 16:44
Hi

Empty these folders:

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery
C:\qoobox\Quarantine\
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine

Delete these:

C:\124.tmp
C:\C7.tmp

Empty Recycle Bin

All other viruses are in system restore and inactive.

I will give you instructions later on how to empty it.

Other than that, any problems left?
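As an added triage example (not part of the thread or of any tool mentioned in it), a small Python parser for the Kaspersky report lines posted above: it separates detections that sit only inside System Restore's _restore folders, which Shaba notes are inactive, from hits in live locations, and counts locked-file and NSIS container lines as noise rather than detections. The sample lines are constructed in the page's log format; the Temp path is hypothetical.

```python
import re

# One report line reads "<path> <status> skipped". The path may contain spaces
# and an archive member suffix such as "/data0002", so it is matched lazily up
# to one of the three status phrases seen in the log.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:Infected: (?P<verdict>\S+)|NSIS: infected - (?P<members>\d+)|Object is locked)"
    r" skipped$"
)

# Lower-cased marker for files that exist only inside a System Restore point.
RESTORE_MARKER = "\\system volume information\\_restore"

# Constructed sample in the report format shown in the thread; the Temp path is hypothetical.
SAMPLE_LOG = r"""
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP411\A0069016.exe Infected: Trojan.Win32.Agent.bnd skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP411\A0069020.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{21C876C5-B79F-49CF-B2FF-234FFEF7EA40}\RP411\A0069020.exe NSIS: infected - 2 skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Documents and Settings\user\Local Settings\Temp\sample.exe Infected: Trojan-Downloader.Win32.Agent.buo skipped
"""


def triage(log_text):
    """Split report lines into restore-point hits, active hits, and noise."""
    result = {"restore_point": [], "active": [], "locked": 0, "containers": 0, "unparsed": []}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            result["unparsed"].append(line)   # anything the regex does not recognise
            continue
        path, verdict, members = m.group("path"), m.group("verdict"), m.group("members")
        if verdict is None and members is None:
            result["locked"] += 1             # in-use system file, not a detection
        elif members is not None:
            result["containers"] += 1         # NSIS wrapper; its members have their own lines
        elif RESTORE_MARKER in path.lower():
            result["restore_point"].append((path, verdict))   # inactive until restored
        else:
            result["active"].append((path, verdict))          # needs removal now
    return result


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(f"active: {len(r['active'])}, restore-point only: {len(r['restore_point'])}, "
          f"locked: {r['locked']}, containers: {r['containers']}")
    for path, verdict in r["active"]:
        print("ACTIVE", verdict, path)
```

Restore-point copies become live again only if that restore point is applied, which is why the usual cleanup step is to clear old restore points rather than delete the files individually.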

roguewarrior
2007-09-18, 18:32
Well I haven't had any pop-ups in a while so it must be good. I couldn't empty the file C:\qoobox\Quarantine\

It won't let me delete them. Also, how do I delete the other 2?

C:\124.tmp
C:\C7.tmp


I also bought the Kaspersky Virus protection. Hope it's a good one.

Shaba
2007-09-18, 18:35
Hi

"I couldn't empty the file C:\qoobox\Quarantine\"

Empty it in safe mode.

Boot your computer in Safe Mode.
If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
Login on your usual account.


"Also, how do I delete the other 2?

C:\124.tmp
C:\C7.tmp"

Delete these in safe mode as well, using Windows Explorer (Windows button + E) or My Computer -> Local Disk C:

"I also bought the Kaspersky Virus protection. Hope it's a good one."

You can bet :)

If you have installed it, you should uninstall PC Tools AntiVirus. Only one antivirus active per computer.

roguewarrior
2007-09-20, 01:55
Well I can't seem to get my computer to start in safe mode?

Shaba
2007-09-20, 09:21
Hi

Do you get Windows Advanced Options Menu?

Shaba
2007-09-27, 17:10
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.